As brought up by Bruce and many others over the years, the TSA has yet to identify a single case where this list… umm… you know… actually caught a terrorist. Yes, they’ve snagged some people with warrants, but this is supposedly the terrorist watch list, not the random dumb-ass criminal watch list.

(A special request to the TSA- when you add the colonoscopies, can we get copies to give to our physicians? I’m almost 40 and that would be a cool way to save on health care costs).

Note: I don’t blame the people working hard at the checkpoints (other than the few bad eggs common in all workplaces). They are in a crappy position and we shouldn’t blame them for the idiocy of their superiors.

Most people don’t think of me as a photographer, but it’s true, I am. Not a good one, mind you, but a photographer. I take a lot of photos. Some days I take hundreds, and they all pretty much look the same. Crappy. Nor am I interested in any of the photos I take, rather I delete them from the camera as soon as possible. I don’t even own a camera; rather I borrow my wife’s cheap Canon with the broken auto-cover lens cap, and I take that little battery sucking clunker with me every few days, taking photos all over Phoenix. Some days it even puts my personal safety in jeopardy, but I do it, and I have gotten very stealthy at it. I am a Stealth Photographer.

What I photograph is ‘distressed’ properties. Hundreds of them every month. In good neighborhoods and bad, but mostly bad. I drive through some streets where every third house is vacant or abandoned; foreclosed upon and bank owned in many cases, but often the bank simply has not had the time to process the paperwork. There are so many foreclosures that the banks cannot keep up, and values are dropping fast enough that the banks have trouble understanding what the real market value might be. So in order to assess value, in Phoenix it has become customary for banks to contract with real estate brokers to offer an opinion of value on a property. This is all part of what is called a Broker Price Opinion, or BPO for short. Think of it as “appraisal lite”. And as my wife is a real estate broker, she gets a lot of these requests to gauge relative market value.

Wanting to help my wife out as much as possible, I take part in this effort by driving past the homes and taking photos of homes the banks are interested in. And when you are in a place where the neighbors are not so neighborly, you learn some tricks for not attracting attention. Especially in the late afternoon when there are 10-20 people hanging around, drinking beer, waiting for the Sheriff to come and evict them. This is not a real Kodak moment. You will get lots of unwanted attention if you are blatant about it and walk up and start shooting pictures of someone’s house. Best case scenario they throw a bottle at you, but it goes downhill from there quickly.

So this is how I became a Stealth Photographer. I am a master with the tiny silver camera, setting it on the top of the door of the silver car and surreptitiously taking my shots. I know how to hold the camera by the rear view mirror but pointing out the side window so it looks like I am adjusting the mirror. I have learned how to drive just fast enough not to attract attention, but slow enough so the autofocus works. I have learned how to set the camera on the roof with my left hand, shooting across the roof of the car. My favorite maneuver is the ‘Look left, shoot right’ because it does not look like you are taking a picture if you are not looking at the property. Front, both sides, street, address and anything else the bank wants, so there are usually two passes to be made. There is a lot to be said about body language, when to make eye contact, and confidence in order to avoid confrontation for personal safety and security. I have done this often enough now that it is totally safe and seldom does anyone know what I am doing.

Sometimes I go inside the homes to assess condition and provide interior shots. I count bedrooms, holes in the walls, determine if any appliances or air conditioning units still remain. Usually the appliances are gone, and occasionally the light fixtures, ceiling fans, light switches, garage door opener and everything else of value has disappeared. In one home someone had even taken the granite counters. Whether it is a $30k farmer’s shack or a $2M home in Scottsdale, the remains are remarkably consistent with old clothes, broken children’s toys, empty 1.75’s of vodka and beer bottles being what is left behind.

For months now I have been hearing these ads on the radio about crime in Phoenix escalating. The Sheriff’s office attributes much of this to illegal immigration, with Mexican Mafia ‘Coyotes’ making a lot of money bringing people across the border, then dropping immigrants into abandoned houses. The radio ads say if you suspect a home of being a ‘drop house’ for illegal immigrants to call the police. I had been ridiculing the ads as propaganda and not paying them much attention, since immigration numbers were supposed to be way down in Arizona. Until this last week … when I walked into a drop house. That got my attention in a hurry! They thankfully left out the back door before I came in the front, leaving nothing save chicken wings, broken glass, beer and toiletry items. This could have been a very bad moment if the ‘Coyotes’ had still been inside. Believe me, this was a ‘threat model’ I had not considered, and I blindly ignored some of the warnings right in front of my ears. So let’s just say I am now taking this very seriously and making some adjustments to my routine.

Twelve people were injured in one derailment, and the boy is suspected of having been involved in several similar incidents.
Miroslaw Micor, a spokesman for Lodz police, said: “He studied the trams and the tracks for a long time and then built a device that looked like a TV remote control and used it to manoeuvre the trams and the tracks.
“He had converted the television control into a device capable of controlling all the junctions on the line and wrote in the pages of a school exercise book where the best junctions were to move trams around and what signals to change.

That little video has started an uproar. Based on the press coverage you’ve got raving paranoids on one side, and those in absolute denial on the other. We’re already seeing accusations that it was all just staged to get some funding.

I’ve written about SCADA (the systems used to control power grids and other real-world infrastructure like manufacturing systems) for a while now. I’ve written about it here on the blog, and authored two research notes with my past employer that didn’t make me too popular in certain circles. I’ve talked with a ton of people on these issues, researched the standards and technologies, and my conclusion is that some of our networks are definitely vulnerable. The problem isn’t so bad we should panic, but we definitely need to increase the resources used to defend the power grid and other critical infrastructure.

SCADA stands for Supervisory Control And Data Acquisition. These are the systems used to supervise physical things, like power switches or those fascinating mechanical doohickies you always see on the Discovery Channel making other doohickies (or beer bottles). They’ve been around for a very long time and run on technologies that have nothing to do with the Internet. At least they used to.

Over the last decade or so, especially the past five years, we’ve seen some changes in these process control networks. The first shift was starting to use commodity hardware and software, the same technology you use at work and home, instead of the proprietary SCADA stuff. Some of these things were O L D old, inefficient, and took special skill to maintain. It’s a lot more efficient for a vendor to just build on the technology we all use every day; running special software on regular hardware and operating systems.

Sounds great, except as anyone reading this blog knows there are plenty of vulnerabilities in all that regular hardware and software. Sure, there were probably vulnerabilities in SCADA stuff (we know for a fact there were), but it’s not like every pimply faced teenage hacker in the world knew about them. A lot of new SCADA controllers and servers run on Microsoft Windows. Nothing against Microsoft, but Windows isn’t exactly known as a vulnerability free platform. Worse yet, some of these systems are so specialized that you’re not allowed to patch them- the vendor has to handle any software updates themselves, and they’re not always the most timely of folks. Thus we are now running our power plants and beer bottling facilities on stuff that’s on the same software all the little script kiddies can slice through, and we can’t even patch the darn things. I can probably live without power, but definitely not the beer. I brew at home, but that takes weeks to months before you can drink it, and our stash definitely won’t last that long. Especially without any TV.

Back to SCADA. Most of these networks were historically isolated- they were around long before the Internet and didn’t connect to it. At least before trend number two, called “convergence”. As utilities and manufacturing moved onto commodity hardware and software, they also started using more and more IT to run the business side of things. And the engineers running the electric lifeblood of our nation want to check email just as often as the rest of us. And they have a computer sitting in front of them all day. Is anyone surprised they started combining the business side of the network with the process control side? Aside from keeping engineers happy with chain letters and bad jokes, the power companies could start pulling billing and performance information right from the process control side to the business side.

They merged the networks. Not everyone, but far more companies than you probably think.

I know what you’re all thinking right now, because this is Securosis, and we’re all somewhat paranoid and cynical. We’re now running everything on standard platforms, on standard networks, with bored engineers surfing porn and reading junk email on the overnight shift.

Yeah, that’s what I thought, and it’s why I wrote the research.

This isn’t fantasy; we have a number of real world cases where this broke real world things. During the Slammer virus a safety system at a nuclear power plant went down. Trains in Sydney stopped running due to the Sasser virus. Blaster was a contributing factor to the big Northeast power outage a few years ago because it bogged down the systems the engineers used to communicate with each other and monitor systems (rumor has it). I once had a private meeting in a foreign country that admitted hackers had gained access to the train control system on multiple occasions and could control the trains.

Thus our infrastructure is vulnerable in three ways:

A worm, virus, or other flaw saturating network traffic and breaking the communications between the SCADA systems.

A worm, virus, or other attack that takes down SCADA systems by crashing or exploiting common, non-SCADA, parts of the system.

Bad stuff, but all hope isn’t lost. Not everyone connects their systems together like this. Some organizations use air gaps (totally separate, isolated networks), virtual air gaps (connected, but an isolated one-way connection), or air-locks (a term I created to describe two separate networks with a very controlled, secure system in the middle to exchange information both ways, not network traffic). NERC, the industry body for the power networks, created a pretty good standard (CIP, Critical Infrastructure Protection) for securing these networks that went into effect last year. When I talk to power guys these days about network separation, I don’t get nearly the strange looks I did five years ago.
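To make the three separation models above concrete, here is an added example (not from the original post): a small Python check that runs constructed one-way flow records against each model and reports what crosses the process control boundary when it shouldn’t. The address ranges, zone names, and the direction allowed across the virtual air gap (process control out to business) are assumptions for illustration.

```python
import ipaddress

# Constructed address plan for illustration; these ranges are assumptions.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),  # email, billing
    "process": ipaddress.ip_network("10.20.0.0/16"),   # SCADA / process control
    "airlock": ipaddress.ip_network("10.30.0.0/28"),   # exchange system in the middle
}

MODELS = ("air_gap", "virtual_air_gap", "air_lock")

# Constructed one-way flow records (source, destination), one per direction.
FLOWS = [
    ("10.10.4.20", "10.20.1.5"),   # business workstation straight to a controller
    ("10.20.1.9", "10.10.8.2"),    # process historian pushing data to billing
    ("10.20.1.9", "10.30.0.5"),    # historian handing data to the air-lock
    ("10.30.0.5", "10.20.1.9"),    # air-lock answering the historian
    ("10.10.4.20", "10.30.0.5"),   # business user collecting data from the air-lock
    ("10.20.1.5", "10.20.1.9"),    # traffic that stays inside process control
    ("203.0.113.7", "10.20.1.5"),  # outside address reaching a controller
]


def zone_of(addr):
    """Map an address to its zone name, or 'external' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def allowed(src_zone, dst_zone, model):
    """Decide whether a single one-way flow is acceptable under a model."""
    if model not in MODELS:
        raise ValueError(f"unknown model: {model}")
    if "process" not in (src_zone, dst_zone) or src_zone == dst_zone:
        return True  # only flows crossing the process control boundary matter
    other = dst_zone if src_zone == "process" else src_zone
    if model == "air_gap":
        return False  # nothing crosses, in either direction
    if model == "virtual_air_gap":
        # Assumed direction: data may only leave process control for business.
        return src_zone == "process" and other == "business"
    return other == "airlock"  # air_lock: each side talks only to the middle


def audit(flows, model):
    """Return the flows that break the chosen model, tagged with their zones."""
    findings = []
    for src, dst in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if not allowed(sz, dz, model):
            findings.append((src, dst, f"{sz}->{dz}"))
    return findings


if __name__ == "__main__":
    for model in MODELS:
        print(model)
        for src, dst, crossing in audit(FLOWS, model):
            print(f"  VIOLATION {src} -> {dst} ({crossing})")
```

The same historian-to-billing flow is fine across a virtual air gap but a violation under the other two models, which is the practical difference between them.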

Another thing in our favor is that to cause serious damage like we saw in the video, you really need to know what you’re doing. You have to gain access to the network, disable safeties, and know exactly what to do.

Well, more bad news. I’m not worried about Joe Hacker at Starbucks or whatever they use for Internet cafes in Russia (Starbucks?) taking down the North American power grid. But it’s very clear that foreign nations have the expertise to do this, especially over in China where they seem to be having all sorts of fun on our networks. Terrorists? They’re better off just blowing up a few major transformers. That will take out major parts of the grid, might blow up some generators (years ago the one at the University of Colorado blew up during a big blackout), and those transformers are both costly and may take years to replace. Besides, terrorists are blood-obsessed psychotics, despite their threats to attack our economy and infrastructure.

In summary we are definitely vulnerable to just the right kind of attack, but it’s a problem we can get our arms around and solve with a little investment and common sense. Not everything is vulnerable yet, and we’re early enough on the convergence trend that we can still stop and put the right security precautions in place.

I’m glad that video hit the news; maybe we’ll get the right amount of dollars in the right places so we can take this one off the table.

Unless the bad guys just get jobs at the power plants and flip switches during the midnight shift.

Aside from discouraging freedom of thought, something I doubt the Founding Fathers ever thought needed protection, how is the youth of today supposed to prepare for the coming alien invasion? This is a serious issue and we can no longer let these gutless liberals undermine the defense of this country by preventing our future warriors from learning the latest frag techniques for radioactive mutants, alien invaders, or Mo from the Simpsons (love that mod).

The quote of the year:

“They decided he was a terroristic threat,” said one source close to the district’s investigation.

“Terroristic”. That’s just awesome. Nice to see sniglets returning to the common vernacular related to national defense.

Terrorism is a tactic, which is also defined as a particularly nasty crime. There are a lot of definitions, but I tend to use various versions of the U.S. Code of Federal Regulations:

“…the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives” (28 C.F.R. Section 0.85).

So tell me, how does the following meet the definition of terrorism?

A 14-year-old boy who allegedly kidnapped a classmate at knifepoint and was later found with a backpack full of restraining devices and weapons will be charged with terrorism, Maricopa County Attorney Andrew Thomas said.
The Mesa boy, who attended Powell Junior High School, also faces charges of aggravated assault with a deadly weapon, kidnapping and carrying weapons on a school campus.

A very bad crime? Yep. Terrorism? Nope. Only in the heads of over-zealous prosecutors who don’t understand terrorism, or the risks of abusing the laws against it.

This kid needs to be dealt with, but how can you possibly compare this to real terrorist acts?

Last week was one of those crazy travel ones. I headed to NYC for some client work, and since my wife had never done the tourist route there she came along and I took some time off to show her around. I’m not from NYC, but I’m from the part of Jersey that likes to think we are (technically, I lived closer to Manhattan than some of the other boroughs). After a few days in the city we headed down to Richmond, VA to catch up with my family.

It was a ton of fun- we caught up with a bunch of friends and spent a couple nights staying with Chris Pepper and his wife Amy- who it turns out are pretty exceptional hosts, even when their daughter’s a little sick.

It’s weird going back to post-9/11 New York. Aside from the skyline of my childhood being forever altered, there’s a different vibe in parts of the city. (And why the f* don’t we have any real progress on a new WTC?!? Are politics so bad in this country we can’t get anything done anymore?).

One of those vibes is security- I hadn’t been in the Empire State Building for about 10 years, but the day was clear so we decided to give it a shot. Aside from the dramatically inflated prices and lines (carefully hidden so you can’t see them where you buy your ticket) there were the ever-present x-rays and magnetometers.

Magnetometers de-tuned to such a level that I walked through with my jacket, belt, and watch on- and cellphone and camera in my pocket.

Maybe that thing would have stopped a rifle, but I had more than enough metal for all sorts of badness on me.

Then again, I suppose if it’s all just for show, there’s no reason to actually inconvenience people. No wonder ticket prices are up.

I was catching up on some old TiVo and saw an ADT commercial that really tweaked me. You know the one, it has a woman alone in the kitchen when the bad guy smashes the window to pop the door and do all sorts of nastiness. Her alarm starts blaring, scares off the bad guy, and it’s ADT to the rescue.

There are two things that bother me about this:

The average default alarm installation doesn’t include glass break detection. Those free-with-service ADT (or anyone) systems just include contact sensors for someone opening doors or windows, and usually one motion detector. Glass breaks can cost over $100 more each, only cover about a 30’ radius, and are prone to false alarms. Sure, maybe the alarm would go off when the bad guy opened the door, but only if…

How many of you set your alarm when you’re home during the day? Nope, maybe only those of you in a real nasty part of town. Definitely not in the nice suburbs like our luckless victim.

I really don’t like deceptive advertising- especially when it imparts a false sense of security. I wonder how many people think those sensors on their windows will go off if someone smashes them? How about all those people that lose bikes out of their garages every year because garage doors aren’t normally sensored?

I realize I’m exaggerating a bit to make a point. Just having an alarm can really reduce your risk of any kind of break in, and if you’re in a higher risk area I recommend alarms (and have one myself in Phoenix). But if advertising is going to play on FUD, it’s irresponsible to create a false sense of security. Having dealt with multiple alarm installers over the years, very few of the sales guys (as opposed to the installers) educate customers on the gaps in the system, or additional high-cost options.*

*which is a little surprising, although I suspect they worry about sticker shock to the average consumer.

Back in May 1997 I was running security for the annual “Kinetic Sculpture Challenge” in Boulder; a big costume party/concert/race/BBQ/festival/rite of spring sponsored by the local radio station. It’s about a 30,000 person event and I ran a staff of about 90 paid and volunteers. It was one of the more enjoyable events to work every year (the year I was working out East as a paramedic I even flew back just for that weekend).

But that morning wasn’t nearly as much fun as usual. The police were all on edge, all looked like they had a bad night, and were far more aggressive than usual. When we opened the gates they were literally hand searching every single car coming into the parking lot for alcohol and other contraband. Traffic was backed up for miles, and the entire place had a very uneasy feeling.

I asked one of my friends on Boulder PD what was going on and she just stared at me quizzically.

“You mean you don’t know?”
“Know what?”
“Last night. You realize there was a riot?”

Riot? Boulder? Outside of the 60s? I mean, we’re talking about a town that would build houses out of hemp if they could figure out the engineering. We’re talking home to the cosmic center of the universe (behind the old Pasta Jay’s, if you’re wondering).

The night before as I was going to bed early to make my 6 am crew call, the students of Boulder banded together to fight for social justice. That’s correct, a full on riot with bricks, tear gas, burning couches, and flipped cars all in the fine tradition inherited from the social consciousness of protesting Vietnam and racial inequality.

Okay, it was about beer, but times change.

That entire academic year Boulder was brewing with hostility. A town known for its relaxed, hippie attitude was really a nine month slow burning fuse of conflict that finally detonated during finals in a series of evening riots with some serious violence.

“What do we want!”
“Beer!”
“When do we want it?”
“Friday after finals!”

A lot of people know that the riots were the result of a severe police crackdown on underage drinking. Officers would literally stop students randomly in the streets and administer breathalyzer tests, handing out tickets on the spot. They’d bust parties by surrounding the house and grabbing everyone inside (or jumping out the windows), testing them all, and handing out tickets. Students started driving drunk more often just to avoid an MIP! (Minor In Possession ticket). But not a lot of people know what caused this crackdown, and why tensions rose in the course of a single academic year.

Due to some random coincidences I was right in the middle of it.

Two major events caused the tension, and at the heart of it is economics. First, in (I think) 1993 the CU athletic department changed their contract for security for football games. For years it was run by the CU Program Council- a semi-independent student group that put on all the concerts and other entertainment events. I was security director that year, and for insurance and cost reasons the athletic department bid out the contract instead of using a student group (despite our being recognized as one of the best security teams in the Big 8).

We followed a principle known as “peer security”, where the “Event Staff” is composed of a demographic close to the attendees. It’s a great way to reduce tension and relate to the crowd. Despite there being two respectable event security firms in the area, one of which we had very close ties to (CSC), the athletic department awarded the contract to the lowest bidder- “Andy Frain Associates”. Andy Frain ran the local airport screening, and didn’t have a single local manager with any event experience. I ran the first few games as a subcontractor with my own people, but after they started bussing in high school students for minimum wage, we pulled out.

With no effective crowd control the police, who used to just sit on the sides to back us up, had to start taking a more proactive role and go into the crowd. There’s no way that ends well- police have different training and responsibilities. When they break up a fight people get arrested. They have firearms at their waists, a nerve-wracking experience if you’re surrounded on all sides, that instantly escalates any situation. Once one officer started macing students charging the field after a big victory, the nature of the stadium during games, and between police and students, was never the same.

All because someone wanted to save a dime and use cheap labor.

The next cause was far more tragic. One night, a couple years earlier, a group of students in a Ford Explorer decided to get drunk and go car surfing down Flagstaff Mountain, a twisty turny mountain road. The car rolled, killing at least one young girl (I can’t remember the details, there may have been 2 deaths). Flagstaff was part of the district where I was a volunteer firemedic. While I wasn’t on the call, my coworkers told me about it. It wasn’t a pretty scene.

The parents, understandably, were devastated. One totally legitimate response was to attack the culture of alcohol tolerance in Boulder. It led to the Boulder Police applying for, and winning, a grant to fight alcohol abuse among minors. The decision was made to ramp up enforcement to never-before seen levels.

And it all came to a head in 1997. The relationship with police had been becoming more adversarial since 1993, culminating with that macing incident I mentioned that made the national news. At the same time, once the grant was processed and new enforcement started, that relationship degraded to the point where it caused the riots.

I’m not justifying the action of those riot participants- especially the ones that nearly killed some of my law enforcement friends and put one on disability. Bricks to heads are friggen insane.

But the cause wasn’t some new shift in student demographics. Or some instant change in police tactics. Tragedy, and money, were at the heart of the problem. The low bid contract forced the police to begin more directly confronting students. The alcohol enforcement grant exacerbated the incident, to the point where students could no longer even drink in private parties, or walk home, without fear of a criminal record.

Sometimes the incentives we put in place have unintended consequences. Make sure you understand the behavior you’re trying to change, and where your actions may really lead you.

I’m a bit of an egotistical asshole. Yeah, no surprise there. But sometimes I realize the old confidence perhaps goes a little too far. I had two incidents in the past two days that made me realize I started to cross that line again.

The first was on a private, non-work email list. Someone asked for a simple opinion and I ended up delivering the sermon from the mount (I hear Jews do that every now and then). It should have been a two sentence answer, and I responded with a page of dribble that this individual most likely already knew. Sure, it was accurate dribble, but they didn’t need to hear it from me, and then I had the audacity to follow it up with a second private email of something I’m sure they’d already seen.

The second incident was tonight in Karate class. I studied TaeKwon-Do for about 15 years before moving to Arizona. It’s basically the style Michael Farnum has recently taken up. After a two year break I recently started back up, but with a different style, due to an instructor I hit it off with. We were sparring tonight and he was scoring on me at will. I’ve competed as high as nationals, but the reality is I was totally humbled. I could see exactly what he was doing (which I suppose is good), and couldn’t do a damn thing to stop it (bad when you’re getting hit in the face).

Anyway, I took a step back and realized that it’s time for me to take the proverbial chill pill. Even when we’re really good at something, it’s all too easy to believe your own hype and take it too far. Especially when much of that hype is self generated.

When I first started working as a paramedic I remember one of my instructors telling us you had to be cocky to survive the job, but if you went too far you’d kill people. Maybe even kill yourself.

I don’t think I’ve come close to that line, but this week’s made me realize that it’s yet again time to take a step back, re-evaluate, and mellow out. Perhaps I let the stress of building a new house get to me.

Not that I won’t still be an egotistical asshole, but at least I won’t be an obnoxious, out of control egotistical asshole.

And, to that person I responded to on that email, if you’re reading- sorry I went overboard.

Even Maverick learned his lesson and came back to the game stronger. (Seriously, if you haven’t caught the movie reference, you need help).

For the record, I wrote this one for myself, but if any of you get any value out of it so much the better.

Hope this isn’t too touchy feely, but I’m getting used to the new content of the blog myself. How weird, I just admitted something I’d normally only share with close friends at the bar to, like, the entire Internet.

I went to the Broncos vs. Cardinals game yesterday here in Phoenix (Broncos won, in case you were wondering). On the way in we were subject to a pat down of the type I discussed here.

What a joke.

Basically, it looks like the employees at the gate were given strict, rote guidelines on how to search. Some of it good (no use of the palm of the hand, to limit accusations of groping), but most of it bad. I’m fairly certain that you don’t need to brush the entire length of someone’s arm when they’re wearing a t-shirt. Also, it’s probably kind of important to check someone’s coat pockets.

While an untrained observer might look at one of these searches next to one of the ones we used to perform and think they’re the same, a trained observer will pick up on a stark difference.

These guys moved their hands by rote on a pre-set pattern. The searchers never adjusted based on the person, and never used their eyes. It’s like they were magnetometers without brains.

Our teams, even the untrained temporary help, were instructed to use their eyes and heads. Don’t just follow the same pattern over and over (although we had a minimum pattern to start); use a little judgement. Most of the time it might look the same, but the odds of finding something are significantly higher.

Then again, maybe I’m just waxing nostalgic and we weren’t any better.

But seriously- if any of you are senior managers in the NFL give me a call- you’re wasting everyone’s time and increasing your risk of lawsuit with what I saw.